Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - charles.adams

Pages: [1] 2

General Discussion / Re: Best protection setup for encrypted traffic? Best network segmentation?

« on: October 29, 2024, 12:14:25 am »

I can't answer question 1 but as to question 2 I would say you'd want to use a firewall run on LAN that lets all LAN net sources reach OPT1 network ports but on the OPT1 Firewall inbound rule you'd only have the OPT network source be able to reach the a inverted alias for RFC1918 addresses. Or perhaps another method you like to have OPT1 reach the internet in the firewall that doesn't let it reach the LAN net.

24.7 Production Series / Getting PKCS #12 format from acme plugin

« on: October 26, 2024, 12:17:09 am »

I'm trying to get a PKCS #12 (a .pfx) out of the ACME plugin while using Lets Encrypt. I want this as several of my jails such as Emby/Jellyfin/Plex need a cert file that contains both keys and have a password set.

I've gotten the built in automation for sending the cert working via the TrueNAS API for the NAS host and I want to use SFTP automation to send the cert to each jail.

However, I'm struggling to find a way to either customize the way that the acme.sh is called so that I can specify a password or set a flag to also output a .pfx in addition to the .pem it currently generates.

Is there a way to accomplish this short of using the SFTP to transfer the cert to the FreeBSD jail and then the remote SSH automation to send a openssl command to convert the .pem and .key into a .pfx with a password?

24.7 Production Series / Re: Unbound DNS - Custom blocklist not being updated by the Cron

« on: October 06, 2024, 05:14:41 pm »

Did you solve this?

23.7 Legacy Series / Re: Failure to update from 23

« on: July 23, 2024, 03:12:52 am »

Quote from: franco on July 22, 2024, 09:16:57 am

And let's not make the connectivity audit a benchmark for automatic connectivity as it forces -4 / -6 for pkg for troubleshooting reasons only.

Cheers,
Franco

Sure, I guess at this point there is nothing I can do besides wait for another update to see if the IP_VERSION variable or the other two are effective?

24.7 Production Series / Re: KEA not respecting reservation

« on: July 22, 2024, 02:31:46 am »

I'd say that it is odd to me that what is a permanent lock between MAC address and IP in every other system I've used (Microsoft, Cisco, Ubiquity), that over rules the scope and locks the IP down to a particular device, is accomplished by having to manually carve out the IPs from the DHCP scope instead of just locking the IPs down to their assignment and keeping it simpler for the person doing the configuration.

23.7 Legacy Series / Re: Failure to update from 23

« on: July 21, 2024, 04:51:02 pm »

Quote from: charles.adams on July 21, 2024, 04:40:30 pm

Quote from: doktornotor on July 21, 2024, 08:13:07 am
See pkg.conf(5)

IP_VERSION
FETCH_RETRY
FETCH_TIMEOUT

Make a backup of /usr/local/etc/pkg.conf and experiments with the settings for your very much broken connectivity.

Setting IP_VERSION = 4 (per the man page should force ipv4 only use) it does not seem to change the results of the connectivity check in option 12 -> 'c' seen below:

Code: [Select]
OPNsense 24.4.1_3 *** GuestNetworkforWifiDevices (vlan01) -> v4: 192.168.69.1/32 IsolatedNetwork (vlan02) -> v4: 192.168.72.1/24 LAN (igc0) -> v4: 192.168.1.1/24 WAN (igc1) -> v4/DHCP4: *****/30 HTTPS: SHA256 **** 0) Logout 7) Ping host 1) Assign interfaces 8) Shell 2) Set interface IP address 9) pfTop 3) Reset the root password 10) Firewall log 4) Reset to factory defaults 11) Reload all services 5) Power off system 12) Update from console 6) Reboot system 13) Restore a backup Enter an option: 12 Fetching change log information, please wait... done This will automatically fetch all available updates and apply them. Proceed with this action? [y/N]: c Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205 PING 89.149.211.205 (89.149.211.205): 1500 data bytes --- 89.149.211.205 ping statistics --- 4 packets transmitted, 0 packets received, 100.0% packet loss Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4 Updating OPNsense repository catalogue... Fetching meta.conf: . done Fetching packagesite.pkg: .......... done Processing entries: .......... done OPNsense repository update completed. 849 packages processed. All repositories are up to date. Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5:: ping: UDP connect: No route to host Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4 Updating OPNsense repository catalogue... pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/meta.txz: Non-recoverable resolver failure repository OPNsense has no meta file, using default settings pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.pkg: Non-recoverable resolver failure pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.txz: Non-recoverable resolver failure Unable to update repository OPNsense Error updating repositories! Checking server certificate for host: opnsense-update.deciso.com depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R11 verify return:1 depth=0 CN = opnsense-update.deciso.com verify return:1 DONE Press any key to return to menu.
The other two options I don't see a way to test until the next BE update is availible?

So a question.

For the first variable that @doktornotor suggested, it seems the place to change it per the man page is at "/usr/local/etc/pkg/repos/OPNsense.conf" and pkg.conf located at /usr/local/etc/pkg.conf as the man page lists IP_VERSION as a variable at both locations? It doesn't explain which variable location is controlling or recommended?

23.7 Legacy Series / Re: Failure to update from 23

« on: July 21, 2024, 04:40:30 pm »

Quote from: doktornotor on July 21, 2024, 08:13:07 am

See pkg.conf(5)

IP_VERSION
FETCH_RETRY
FETCH_TIMEOUT

Make a backup of /usr/local/etc/pkg.conf and experiments with the settings for your very much broken connectivity.

Setting IP_VERSION = 4 (per the man page should force ipv4 only use) it does not seem to change the results of the connectivity check in option 12 -> 'c' seen below:

Code: [Select]

OPNsense 24.4.1_3 ***

 GuestNetworkforWifiDevices (vlan01) -> v4: 192.168.69.1/32
 IsolatedNetwork (vlan02) -> v4: 192.168.72.1/24
 LAN (igc0)      -> v4: 192.168.1.1/24
 WAN (igc1)      -> v4/DHCP4: *****/30

 HTTPS: SHA256 ****

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: c

Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 849 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE

Press any key to return to menu.

The other two options I don't see a way to test until the next BE update is availible?

23.7 Legacy Series / Re: Failure to update from 23

« on: July 21, 2024, 01:01:57 am »

Quote from: franco on July 20, 2024, 06:36:16 pm

You should check any of your ping times under a bit of load. The lost packets and retransmissions are likely going to make most downloads fail and destroy your ping success rate while at it.

Cheers,
Franco

While running https://speed.cloudflare.com/ below I also ran the packettest from the same site as before.

Code: [Select]

time,direction,bytes,latency,bps,duration,serverTime,responseSize,loadedLatencies
1721516154312,download,100000,142.000067,1986274.1836265433,408.000067,69.999933,101300,
1721516159649,download,100000,84.00024400000001,4288079.120151823,189.000244,55.999756,101306,73.00018299999999
1721516159927,download,100000,83.000078,3822979.725507459,212.000078,56.999922,101309,
1721516160188,download,100000,80.00010900000001,4404562.608166715,184.000109,63.999891,101305,91.99998500000001
1721516160515,download,100000,87.000006,3448782.8906693733,235.00000599999998,55.999994,101308,
1721516160877,download,100000,96.000027,3001688.58872003,270.000027,52.999973,101307,
1721516161187,download,100000,98.000151,3377097.8752425867,240.00015100000002,57.999849,101313,193.00009
1721516161407,download,100000,81.00012000000001,5065546.200840348,160.00012,50.99988,101311,
1721516161724,download,100000,109.000223,3241949.108181395,250.000223,58.999777,101311,74.000006
1721516162010,download,100000,119.00010900000001,3787362.556904118,214.000109,63.999891,101312,
1721516162492,download,1000000,67.000067,20703500.29164207,387.000067,69.999933,1001532,209.00000599999998
1721516162993,download,1000000,67.999964,19168480.119773407,417.999964,62.000036,1001553,71.999933
1721516163427,download,1000000,97.999838,23427730.39559159,341.999838,80.000162,1001535,
1721516163798,download,1000000,67.000099,26184017.672491018,306.000099,53.999901,1001539,79.00012000000001
1721516164211,download,1000000,93.000202,23917239.30960495,335.000202,61.999798,1001535,191.999922
1721516164784,download,1000000,67.999922,16186507.601106249,494.99992199999997,68.000078,1001540,80.000202
1721516165206,download,1000000,106.000025,24353773.225397173,329.000025,75.999975,1001549,
1721516165571,download,1000000,70.000284,29676057.67407267,270.00028399999997,72.999716,1001568,69.999788
1721516166094,upload,100000,80.99997300000001,2892086.330935251,278,197.000027,1162,
1721516166579,upload,100000,83.999876,3941176.470588235,204,120.000124,1161,
1721516166784,upload,100000,87.000053,4165803.1088082893,193,105.999947,1159,
1721516167181,upload,100000,96.9998,3068702.2900763354,262,165.0002,1151,
1721516167597,upload,100000,84.000257,3510917.030567685,229,144.999743,1157,
1721516167798,upload,100000,92.999878,4231578.947368421,190,97.000122,1164,
1721516168207,upload,100000,95.00004999999999,3255060.728744939,247,151.99995,1150,
1721516168417,upload,100000,79.000042,4060606.0606060596,198,118.999958,1162,113.000038
1721516201397,upload,1000000,86.00026100000002,7584905.660377357,1060,973.999739,1165,242.999975 235.999966
1721516202597,upload,1000000,82.00006499999995,7657142.857142856,1050,967.999935,1166,303.999912
1721516203825,upload,1000000,97.99984600000005,7403314.91712707,1086,988.000154,1165,78.999924 396.99983
1721516204923,upload,1000000,106.99981500000001,7389705.88235294,1088,981.000185,1154,448.999924
1721516206213,upload,1000000,84.00010500000008,6733668.341708542,1194,1109.999895,1162,587.000111
1721516207414,upload,1000000,112.99994500000003,7805825.242718445,1030,917.000055,1155,77.00018299999999 444.000027
1721516209699,download,10000000,100.99998500000001,36411461.5769663,2197.999985,59.000015,10004049,357.000204 698.000069
1721516216108,download,10000000,74.99998500000001,12663017.751573617,6319.999985,59.000015,10003784,84.000006 76.000162 100.00030699999999 67.00018299999999 69.999945 71.000141 99.000038
1721516219759,download,10000000,73.00021,22717975.370203,3523.00021,94.99979,10004429,79.000162
1721516222775,download,10000000,99.000139,27457258.381969493,2915.000139,70.999861,10004739,86.000038
1721516225463,download,10000000,63.999933,31623947.103439137,2530.999933,55.000067,10005026,64.000034 99.99999600000001 90.00004799999999 79.999975 79.000193
1721516228168,download,10000000,93.999849,30745658.33368975,2602.999849,67.000151,10003868,113.000202 96.000162

Packetloss test:

Code: [Select]

Total Packet Loss: 0.00%
Upload Packet Loss: 0.00%
Download Packet Loss: 0.00%
Late Packet Rate: 0.00%

Average Latency: 83.12ms
Average Jitter: 7.66ms

Test Settings:
  Duration: 10 seconds
  Frequency: 15 pings/second
  Average Size: 220 bytes
  Acceptable Delay: 200ms

Details:
--------------
id,status,ping
1,success,76
2,success,159
3,success,98
4,success,79
5,success,73
6,success,78
7,success,80
8,success,84
9,success,81
10,success,81
11,success,72
12,success,73
13,success,76
14,success,83
15,success,82
16,success,94
17,success,87
18,success,74
19,success,81
20,success,86
21,success,84
22,success,76
23,success,98
24,success,74
25,success,87
26,success,75
27,success,76
28,success,72
29,success,84
30,success,75
31,success,74
32,success,76
33,success,90
34,success,123
35,success,82
36,success,81
37,success,86
38,success,74
39,success,99
40,success,87
41,success,76
42,success,74
43,success,83
44,success,73
45,success,73
46,success,80
47,success,72
48,success,80
49,success,72
50,success,97
51,success,77
52,success,90
53,success,69
54,success,92
55,success,81
56,success,89
57,success,89
58,success,80
59,success,78
60,success,82
61,success,71
62,success,87
63,success,87
64,success,77
65,success,76
66,success,81
67,success,92
68,success,85
69,success,95
70,success,79
71,success,86
72,success,76
73,success,75
74,success,72
75,success,72
76,success,89
77,success,79
78,success,81
79,success,79
80,success,80
81,success,84
82,success,77
83,success,83
84,success,105
85,success,93
86,success,93
87,success,96
88,success,85
89,success,87
90,success,78
91,success,98
92,success,73
93,success,73
94,success,89
95,success,93
96,success,80
97,success,86
98,success,90
99,success,69
100,success,82
101,success,85

Not great results but it's what I've got to work with and doesn't seem to be having any negative impact on Firefox's ability to download things nor access the rest of the internet (including this forum). Just the ability to reach the update for opnsense.

23.7 Legacy Series / Re: Failure to update from 23

« on: July 20, 2024, 04:49:32 pm »

Quote from: Monviech on July 20, 2024, 01:23:31 pm

Wow a 200-500ms ping? That will slow down TCP a whole lot. I bet there is also a lot of paket loss. This all combined makes anything TCP and internet related a really bad experience and most likely causes a lot of timeouts and retransmissions.

It doesn't seem to affect anything else and any other destination I've tried has much lower (less than 100 ms) ping times. It's only the deciso update server that seems to have this problem.

To https://packetlosstest.com/ New Jersey server:

Code: [Select]

Total Packet Loss: 0.00%
Upload Packet Loss: 0.00%
Download Packet Loss: 0.00%
Late Packet Rate: 0.00%

Average Latency: 83.86ms
Average Jitter: 6.84ms

Test Settings:
  Duration: 10 seconds
  Frequency: 15 pings/second
  Average Size: 220 bytes
  Acceptable Delay: 200ms

Details:
--------------
id,status,ping
1,success,89
2,success,80
3,success,78
4,success,78
5,success,81
6,success,73
7,success,83
8,success,82
9,success,83
10,success,83
11,success,90
12,success,88
13,success,95
14,success,83
15,success,73
16,success,79
17,success,85
18,success,80
19,success,80
20,success,75
21,success,87
22,success,80
23,success,75
24,success,85
25,success,85
26,success,79
27,success,85
28,success,86
29,success,80
30,success,74
31,success,90
32,success,81
33,success,74
34,success,117
35,success,78
36,success,76
37,success,81
38,success,74
39,success,80
40,success,76
41,success,74
42,success,92
43,success,83
44,success,76
45,success,91
46,success,84
47,success,73
48,success,82
49,success,73
50,success,75
51,success,79
52,success,71
53,success,83
54,success,79
55,success,72
56,success,77
57,success,90
58,success,79
59,success,80
60,success,72
61,success,91
62,success,98
63,success,101
64,success,77
65,success,78
66,success,83
67,success,81
68,success,82
69,success,84
70,success,82
71,success,99
72,success,87
73,success,79
74,success,79
75,success,94
76,success,91
77,success,93
78,success,96
79,success,77
80,success,73
81,success,99
82,success,85
83,success,130
84,success,84
85,success,78
86,success,79
87,success,83
88,success,77
89,success,96
90,success,90
91,success,84
92,success,73
93,success,93
94,success,98
95,success,76
96,success,82
97,success,81
98,success,73
99,success,84
100,success,77
101,success,84
102,success,89
103,success,93
104,success,81
105,success,76
106,success,96
107,success,104
108,success,88
109,success,91
110,success,97
111,success,89
112,success,73
113,success,79
114,success,81
115,success,100
116,success,75
117,success,84
118,success,79
119,success,83
120,success,87
121,success,78
122,success,86
123,success,98
124,success,109
125,success,91
126,success,83
127,success,75
128,success,81
129,success,76
130,success,93
131,success,73
132,success,85
133,success,84

To their German server:

Code: [Select]

Total Packet Loss: 0.00%
Upload Packet Loss: 0.00%
Download Packet Loss: 0.00%
Late Packet Rate: 0.00%

Average Latency: 170.80ms
Average Jitter: 5.73ms

Test Settings:
  Duration: 10 seconds
  Frequency: 15 pings/second
  Average Size: 220 bytes
  Acceptable Delay: 200ms

Details:
--------------
id,status,ping
1,success,175
2,success,167
3,success,162
4,success,175
5,success,177
6,success,171
7,success,166
8,success,162
9,success,173
10,success,172
11,success,164
12,success,167
13,success,173
14,success,176
15,success,166
16,success,186
17,success,165
18,success,176
19,success,163
20,success,162
21,success,173
22,success,176
23,success,184
24,success,180
25,success,166
26,success,164
27,success,166
28,success,171
29,success,175
30,success,165
31,success,196
32,success,174
33,success,166
34,success,166
35,success,161
36,success,174
37,success,168
38,success,176
39,success,163
40,success,168
41,success,162
42,success,166
43,success,167
44,success,176
45,success,174
46,success,177
47,success,162
48,success,170
49,success,164
50,success,167
51,success,166
52,success,182
53,success,165
54,success,163
55,success,175
56,success,175
57,success,165
58,success,168
59,success,168
60,success,167
61,success,172
62,success,177
63,success,184
64,success,171
65,success,174
66,success,170
67,success,172
68,success,174
69,success,165
70,success,173
71,success,179
72,success,166
73,success,167
74,success,176
75,success,168
76,success,177
77,success,173
78,success,162
79,success,181
80,success,172
81,success,164
82,success,182
83,success,162
84,success,175
85,success,170
86,success,177
87,success,159
88,success,167
89,success,171
90,success,167
91,success,177
92,success,167
93,success,186
94,success,161
95,success,162
96,success,166
97,success,170
98,success,168
99,success,167
100,success,168
101,success,167
102,success,168
103,success,162
104,success,176
105,success,168
106,success,173
107,success,171
108,success,183
109,success,174
110,success,196
111,success,168
112,success,162
113,success,171
114,success,166
115,success,171
116,success,171
117,success,173
118,success,165
119,success,170
120,success,163
121,success,175
122,success,163
123,success,164
124,success,167
125,success,192
126,success,179
127,success,166
128,success,166
129,success,188
130,success,180
131,success,174
132,success,160
133,success,177

24.7 Production Series / Re: Firewall ‣ Aliases: URL: Spamhaus: Create Alias from JSON format

« on: July 20, 2024, 03:05:26 am »

Quote from: Cerberus on June 24, 2024, 05:17:27 pm

I would like to see json support. Currently i get my Microsoft Azure Service List json with https://github.com/thedxt/IP-Downloader. Love to see something like that in OPNsense.

It would be nice, I'm sure they will support it before Spamhaus drops the text tables?

23.7 Legacy Series / Re: Failure to update from 23

« on: July 20, 2024, 12:10:15 am »

Quote from: franco on July 19, 2024, 11:00:54 am

I think it further indicates that there is a local issue with your Internet connection or network equipment or cabling in front of the OPNsense. Doesn't appear to be the disk or the device or the mirror.

And frankly let's ignore the IPv6 health audit errors when IPv6 is disabled anyway. It's purely diagnostic telling us IPv6 doesn't work which is... true.

Cheers,
Franco

I've tried swapping the .5 meter cable that went from the Netgear Nighthawk M6 Pro to the DEC850vs with a different cable. It made no change.

I have tried using serial terminal option 7 and several sites and it doesn't show packet loss but using command 'c' in option 12 does.

Code: [Select]

OPNsense 24.4.1_3 ***

 LAN (igc0)      -> v4: 192.168.1.1/24
 WAN (igc1)      -> v4/DHCP4: ******/30

 HTTPS: SHA256 ****

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 7


Enter a host name or IP address: www.google.com

PING www.google.com (142.250.191.228): 56 data bytes
64 bytes from 142.250.191.228: icmp_seq=0 ttl=115 time=64.835 ms
64 bytes from 142.250.191.228: icmp_seq=1 ttl=115 time=89.934 ms
64 bytes from 142.250.191.228: icmp_seq=2 ttl=115 time=89.795 ms

--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 64.835/81.521/89.934/11.799 ms

Press ENTER to continue.


*** lurch.adams.fun: OPNsense 24.4.1_3 ***

 LAN (igc0)      -> v4: 192.168.1.1/24
 WAN (igc1)      -> v4/DHCP4: *****/30

 HTTPS: SHA256 *****

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: c

Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 849 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE

Press any key to return to menu.

*** lurch.adams.fun: OPNsense 24.4.1_3 ***

 LAN (igc0)      -> v4: 192.168.1.1/24
 WAN (igc1)      -> v4/DHCP4: *****/30

 HTTPS: SHA256 *****

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 7


Enter a host name or IP address: www.bing.com

PING e86303.dscx.akamaiedge.net (23.209.37.106): 56 data bytes
64 bytes from 23.209.37.106: icmp_seq=0 ttl=55 time=73.048 ms
64 bytes from 23.209.37.106: icmp_seq=1 ttl=55 time=108.998 ms
64 bytes from 23.209.37.106: icmp_seq=2 ttl=55 time=89.823 ms

--- e86303.dscx.akamaiedge.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 73.048/90.623/108.998/14.687 ms

Press ENTER to continue.


*** lurch.adams.fun: OPNsense 24.4.1_3 ***

 LAN (igc0)      -> v4: 192.168.1.1/24
 WAN (igc1)      -> v4/DHCP4: *******/30

 HTTPS: SHA256 ***

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 7


Enter a host name or IP address: opnsense.org

PING opnsense.org (178.162.131.118): 56 data bytes
64 bytes from 178.162.131.118: icmp_seq=0 ttl=50 time=151.912 ms
64 bytes from 178.162.131.118: icmp_seq=1 ttl=50 time=169.263 ms
64 bytes from 178.162.131.118: icmp_seq=2 ttl=50 time=174.856 ms

--- opnsense.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 151.912/165.343/174.856/9.768 ms

Press ENTER to continue.

I even tried deciso.com:

Code: [Select]

Enter an option: 7


Enter a host name or IP address: deciso.com

PING deciso.com (178.162.136.178): 56 data bytes
64 bytes from 178.162.136.178: icmp_seq=0 ttl=50 time=153.909 ms
64 bytes from 178.162.136.178: icmp_seq=1 ttl=50 time=174.483 ms
64 bytes from 178.162.136.178: icmp_seq=2 ttl=50 time=187.436 ms

--- deciso.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 153.909/171.942/187.436/13.805 ms

Press ENTER to continue.

Code: [Select]

Enter an option: 7


Enter a host name or IP address: opnsense-update.deciso.com

PING opnsense-update.deciso.com (89.149.211.205): 56 data bytes
64 bytes from 89.149.211.205: icmp_seq=0 ttl=50 time=488.380 ms
64 bytes from 89.149.211.205: icmp_seq=1 ttl=50 time=179.525 ms
64 bytes from 89.149.211.205: icmp_seq=2 ttl=50 time=178.570 ms

--- opnsense-update.deciso.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 178.570/282.158/488.380/145.821 ms

Press ENTER to continue.

When I run option 12 command 'c' it always loses packets but not when I directly ping?

23.7 Legacy Series / Re: Failure to update from 23

« on: July 19, 2024, 07:39:39 am »

Quote from: newsense on July 19, 2024, 06:21:23 am

No, your public IP is not needed as long as it is public and you're not dropping traffic because of a private IP on the WAN and the improper settings on the interface.

So...if all looks good, what happens when you run this command ?

Code: [Select]
pkg update && pkg install nano

it works:

Code: [Select]

~ # pkg update && pkg install nano
Updating OPNsense repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01
Fetching packagesite.pkg: 100%  241 KiB 246.5kB/s    00:01
Processing entries: 100%
OPNsense repository update completed. 849 packages processed.
All repositories are up to date.
Updating OPNsense repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01
Fetching packagesite.pkg: 100%  241 KiB 246.5kB/s    00:01
Processing entries: 100%
OPNsense repository update completed. 849 packages processed.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        nano: 8.0

Number of packages to be installed: 1

251 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching nano-8.0.pkg: 100%  251 KiB 257.5kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing nano-8.0...
[1/1] Extracting nano-8.0: 100%

But the coms check still doesn't:

Code: [Select]

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: c

Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 849 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE

Press any key to return to menu.

The updates didn't fail at the start but after several packages had been downloaded. With enough persistance I was able to get through an update completely so I'm up to 24.4 now but I'd like to fix this before having to reopen the thread next time there is a BE patch.

23.7 Legacy Series / Re: Failure to update from 23

« on: July 19, 2024, 06:04:16 am »

Quote from: newsense on July 19, 2024, 03:50:22 am

Try two more things please:

WAN interface

- make sure Block private networks is unchecked (unsure what IP you have on wan)

- IPv6 Configuration Type set to None

Already set that way before the thread was started:

Before I found how to set the Netgear Nighthawk M6 Pro to pass through the public IP I had to set it that way as it was providing a private IP range.

Would my public IP be useful?

23.7 Legacy Series / Re: Failure to update from 23

« on: July 19, 2024, 03:12:58 am »

Quote from: franco on July 18, 2024, 02:51:10 pm

So I tried the upgrade from a fresh 23.10 install and it ran fine to 23.10.3 and health audit is ok. I'm sure it's not the mirror either so there has to be a local issue of some sort but I have no idea what it could be.

for some reason I still suspect a disk-related issue and it would be useful to post the usage stats (df -h).

Cheers,
Franco

Out put from 'df -h' in the serial terminal shell:

Code: [Select]

~ # df -h
Filesystem                   Size    Used   Avail Capacity  Mounted on
zroot/ROOT/default           222G    2.5G    220G     1%    /
devfs                        1.0K    1.0K      0B   100%    /dev
/dev/gpt/efifs               256M    888K    255M     0%    /boot/efi
zroot/var/audit              220G     96K    220G     0%    /var/audit
zroot/var/tmp                220G     96K    220G     0%    /var/tmp
zroot/tmp                    220G    7.4M    220G     0%    /tmp
zroot/usr/src                220G     96K    220G     0%    /usr/src
zroot/usr/ports              220G     96K    220G     0%    /usr/ports
zroot                        220G     96K    220G     0%    /zroot
zroot/usr/home               220G     96K    220G     0%    /usr/home
zroot/var/log                220G     87M    220G     0%    /var/log
zroot/var/crash              220G    100K    220G     0%    /var/crash
zroot/var/mail               220G    152K    220G     0%    /var/mail
devfs                        1.0K    1.0K      0B   100%    /var/dhcpd/dev
devfs                        1.0K    1.0K      0B   100%    /var/unbound/dev
/usr/local/lib/python3.11    222G    2.5G    220G     1%    /var/unbound/usr/local/lib/python3.11
/lib                         222G    2.5G    220G     1%    /var/unbound/lib

23.7 Legacy Series / Re: Failure to update from 23

« on: July 19, 2024, 03:06:59 am »

Quote from: newsense on July 18, 2024, 03:39:05 am

IPv6 is causing the issue there.

Quote
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!

Go to System-Settings-General and make sure Prefer to use IPv4 even if IPv6 is available is checked. Save settings and try to update again.

https://<Your IP here>/system_general.php

Just checked and that check box was already checked before I started this thread.

I have been repeatedly using "pkg clean -ya" and then option 12 in the serial console and have managed to get it to 24.4 branch with enough persistence.

Code: [Select]

*** *********.*****,**** : OPNsense 24.4.1_3 ***

 LAN (igc0)      -> v4: 192.168.1.1/24
 WAN (igc1)      -> v4/DHCP4: **.***.**.**/30

 HTTPS: SHA256 *****

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: c

Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 849 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://opnsense-update.deciso.com/SUBSCRIPTION/FreeBSD:13:amd64/24.4/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE

Press any key to return to menu.

It does seem to be something to do with the stability of the connection or the resolution of the address given how this seems to be intermittent.

Pages: [1] 2